[Discuss] Disabling UEFI and dual booting Linux and Windows
Tom Metro
tmetro+blu at gmail.com
Fri Dec 7 17:52:26 EST 2012
> State of Secure Boot detailed
> http://www.h-online.com/security/news/item/State-of-Secure-Boot-detailed-1741460.html
>
> Red Hat and Fedora developer Matthew Garrett has detailed the "range
> of subtle changes" that have taken place since he began working on
> Secure Boot support.
> [...]
>
> Linux Foundation support for booting Linux on Windows 8 PCs delayed
> http://www.zdnet.com/linux-foundation-support-for-booting-linux-on-windows-8-pcs-delayed-7000007673/
>
> Bottomley...told me "We're all done and dusted with the signed
> contract with Microsoft and the binary ready to release. However,
> I've been having bizarre experiences with the Microsoft sysdev
> centre."

An update:

All Linux Distributions Get the Secure Boot Bootloader
http://news.softpedia.com/news/All-Linux-Distributions-Get-the-Secure-Boot-Bootloader-311259.shtml

Matthew Garrett, ex-power management and mobile Linux developer at Red
Hat, proudly announced last evening, November 30, that a usable
release of the Secure Boot bootloader is now available for download.

Dubbed shim, this software is designed for all Linux-based operating
systems that want to support secure boot and that do not want to get in
cahoots with the greedy Microsoft Corporation.

"As of 17:00 EST today, I am officially (rather than merely
effectively) no longer employed by Red Hat, and this binary is being
provided by me rather than them, so don't ask them questions about
it."

"Special thanks to everyone at Suse who came up with the MOK concept
and did most of the implementation work - without them, this would
have been impossible." said Matthew Garrett in the blog announcement.
[...]

"On boot, the end-user will be prompted with a 10-second countdown and
a menu. Choose "Enroll key from disk" and then browse the filesystem
to select the key and follow the enrolment prompts."

"Any bootloader signed with that key will then be trusted by shim, so
you probably want to make sure that your grubx64.efi image is signed
with it." continued Matthew Garrett in the announcement.

also:

Shimming your way to Linux on Windows 8 PCs
http://www.zdnet.com/shimming-your-way-to-linux-on-windows-8-pcs-7000008246/

This approach is not the same as the one that Garrett devised for use
with Fedora Linux. That approach uses a Fedora-specific key that's
based on a Microsoft/Verisign-supplied Secure Boot key.

While that meant dealing with Microsoft, it was as Garrett had written
earlier, "Easy enough for us [Red Hat] to do, but not necessarily
practical for smaller distributions." It's also, as The Linux
Foundation has found, in its so-far failed attempts to obtain a
universal Secure Boot key for Linux distributions, really not that
easy at all.

What Garrett has done with his shim approach is to create a signed
boot-loader that can add keys to its own database. This is built on
SUSE's bootloader design. In the SUSE design, the boot-loader has its
own key database, besides the UEFI specification's key database.

I'm confused. This last article implies the shim being made available is
independent of the solution the Linux Foundation was working on (if the
Foundation has failed to obtain a key, then it can't be their solution
being released), even though it sounds like the same people and the same
design.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/